Please note that Michael is running 1.4 which has an entirely different enforcer than 2.0. It is clear now that the signer can't sign the zone because you removed the signconf. And the enforcer isn't generating a signconf because it is stuck generating a new key.
It is hard to imagine anything else than permissions to be the problem here. Please check if ods-signerd actually runs as root and doesn't drop permissions. Also share your conf.xml with us/me if you can. Check the permissions on /etc/softhsm/softhsm.conf and the path mentioned in that file. It really seems like something is missing write permissions. Updating OpenDNSSEC will therefore not resolve your problems. After fixing this issue I would encourage you to update, but not right now.

//Yuri

On 18-01-17 20:12, PGNet Dev wrote:
> On 01/18/2017 10:53 AM, Michael Grimm wrote:
>> If I am not mistaken, those files in /usr/local/var/opendnssec/signconf
>> are rebuilt after restarting opendnssec's daemons.
>
> here, with ods2, starting with a clean tree
>
> tree /var/opendnssec
> /var/opendnssec
> ├── [opendnssec 4096] enforcer
> ├── [opendnssec 4096] raw
> ├── [opendnssec 4096] signconf
> ├── [opendnssec 4096] signed
> ├── [opendnssec 4096] signer
> └── [opendnssec 4096] unsigned
>
> after
>
> ods-enforcer-db-setup -f
> Database setup successfully.
> systemctl start ods-signerd
> systemctl start ods-enforcerd
> ods-enforcer policy import
> Created policy default successfully
> Created policy lab successfully
> tree /var/opendnssec
> /var/opendnssec
> ├── [opendnssec 4096] enforcer
> ├── [opendnssec 98304] kasp.db
> ├── [opendnssec 4096] raw
> ├── [opendnssec 4096] signconf
> ├── [opendnssec 4096] signed
> ├── [opendnssec 4096] signer
> └── [opendnssec 4096] unsigned
>
> it's the add zone step that initially populates the signconf/ dir
>
> ods-enforcer zone add \
>   --zone example.com \
>   --xml \
>   --policy lab \
>   --input /usr/local/etc/opendnssec/addns.xml \
>   --output /usr/local/etc/opendnssec/addns.xml \
>   --in-type DNS \
>   --out-type DNS
>
> tree /var/opendnssec
> /var/opendnssec
> ├── [opendnssec 4096] enforcer
> │   └── [opendnssec 2032] zones.xml
> ├── [opendnssec 98304] kasp.db
> ├── [opendnssec 4096] raw
> ├── [opendnssec 4096] signconf
>>>> │   └── [opendnssec 1168] example.com.xml
> ├── [opendnssec 4096] signed
> ├── [opendnssec 4096] signer
> ...
>
> If I
>
> rm -f /var/opendnssec/signconf/*
> systemctl restart ods-signerd
> systemctl restart ods-enforcerd
>
> that's NOT sufficient to recreate the signconf/*
>
> tree /var/opendnssec
> /var/opendnssec
> ...
> ├── [opendnssec 4096] raw
>>>> ├── [opendnssec 4096] signconf
> ├── [opendnssec 4096] signed
> ├── [opendnssec 4096] signer
> ...
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
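The permission checks asked for above (which user ods-signerd runs as, and write access to /etc/softhsm/softhsm.conf and the storage paths it names), as an added diagnostic script that is not part of this thread or of OpenDNSSEC. It assumes softhsm.conf uses either SoftHSM v1 "slot:path" lines or the SoftHSM v2 "directories.tokendir" key, and that "ps" is Linux procps.

```shell
#!/bin/sh
# Added diagnostic for the write-permission suspicion raised in the reply above.
# Not part of OpenDNSSEC or of the original mail. Assumes softhsm.conf contains
# either SoftHSM v1 lines like "0:/var/lib/softhsm/slot0.db" or the SoftHSM v2
# key "directories.tokendir = /var/lib/softhsm/tokens/".

# Print every storage path named in a softhsm.conf, one per line.
softhsm_paths() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '
        /^[ \t]*directories\.tokendir[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; next }
        /^[ \t]*[0-9]+[ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print }'
}

# Classify one path for the user running this script:
#   ok      writable (a file also needs a writable parent, SoftHSM rewrites it)
#   DENIED  exists but is not writable
#   MISSING does not exist at all
check_write() {
    if [ -d "$1" ]; then
        if [ -w "$1" ]; then echo "ok $1"; else echo "DENIED $1"; fi
    elif [ -e "$1" ]; then
        if [ -w "$1" ] && [ -w "$(dirname "$1")" ]; then echo "ok $1"; else echo "DENIED $1"; fi
    else
        echo "MISSING $1"
    fi
}

# Check the config file itself, then every path it names.
check_softhsm() {
    conf="${1:-/etc/softhsm/softhsm.conf}"
    check_write "$conf"
    softhsm_paths "$conf" | while IFS= read -r p; do check_write "$p"; done
}

# Report which user ods-signerd runs as (empty if it is not running), so the
# check can be repeated as that user: su -s /bin/sh "$user" -c 'sh this.sh'
signer_user() {
    ps -o user= -C ods-signerd 2>/dev/null | head -n 1
}

# Usage from the shell after sourcing this file:
#   echo "ods-signerd runs as: $(signer_user)"; check_softhsm /etc/softhsm/softhsm.conf
```

If the daemon's user gets DENIED or MISSING on the token path, that matches the symptom of the enforcer being stuck generating a key; a root daemon will report ok even on 0644 files, so run it as the real daemon user.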
